Merge tag 'selinux-pr-20250527' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

{

	struct task_security_struct *tsec;

	/* NOTE: the lsm framework zeros out the buffer on allocation */

	tsec = selinux_cred(unrcu_pointer(current->real_cred));

	tsec->osid = tsec->sid = SECINITSID_KERNEL;

	tsec->osid = tsec->sid = tsec->avdcache.sid = SECINITSID_KERNEL;

}

/*

				       struct dentry *dentry,

				       bool may_sleep)

{

	struct inode_security_struct *isec = selinux_inode(inode);

	might_sleep_if(may_sleep);

	if (!selinux_initialized())

		return 0;

	/*

	 * The check of isec->initialized below is racy but

	 * inode_doinit_with_dentry() will recheck with

	 * isec->lock held.

	 */

	if (selinux_initialized() &&

	    data_race(isec->initialized != LABEL_INITIALIZED)) {

		if (!may_sleep)

	if (may_sleep)

		might_sleep();

	else

		return -ECHILD;

	/*

		 * Try reloading the inode security label.  This will fail if

		 * @opt_dentry is NULL and no dentry for this inode can be

		 * found; in that case, continue using the old label.

	 * Check to ensure that an inode's SELinux state is valid and try

	 * reloading the inode security label if necessary.  This will fail if

	 * @dentry is NULL and no dentry for this inode can be found; in that

	 * case, continue using the old label.

	 */

	inode_doinit_with_dentry(inode, dentry);

	}

	return 0;

}

	return selinux_inode(inode);

}

static struct inode_security_struct *inode_security_rcu(struct inode *inode, bool rcu)

static inline struct inode_security_struct *inode_security_rcu(struct inode *inode,

							       bool rcu)

{

	int error;

	int rc;

	struct inode_security_struct *isec = selinux_inode(inode);

	error = __inode_security_revalidate(inode, NULL, !rcu);

	if (error)

		return ERR_PTR(error);

	return selinux_inode(inode);

	/* check below is racy, but revalidate will recheck with lock held */

	if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))

		return isec;

	rc = __inode_security_revalidate(inode, NULL, !rcu);

	if (rc)

		return ERR_PTR(rc);

	return isec;

}

/*

 * Get the security label of an inode.

 */

static struct inode_security_struct *inode_security(struct inode *inode)

static inline struct inode_security_struct *inode_security(struct inode *inode)

{

	struct inode_security_struct *isec = selinux_inode(inode);

	/* check below is racy, but revalidate will recheck with lock held */

	if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))

		return isec;

	__inode_security_revalidate(inode, NULL, true);

	return selinux_inode(inode);

	return isec;

}

static struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)

static inline struct inode_security_struct *backing_inode_security_novalidate(struct dentry *dentry)

{

	struct inode *inode = d_backing_inode(dentry);

	return selinux_inode(inode);

	return selinux_inode(d_backing_inode(dentry));

}

/*

 * Get the security label of a dentry's backing inode.

 */

static struct inode_security_struct *backing_inode_security(struct dentry *dentry)

static inline struct inode_security_struct *backing_inode_security(struct dentry *dentry)

{

	struct inode *inode = d_backing_inode(dentry);

	struct inode_security_struct *isec = selinux_inode(inode);

	/* check below is racy, but revalidate will recheck with lock held */

	if (data_race(likely(isec->initialized == LABEL_INITIALIZED)))

		return isec;

	__inode_security_revalidate(inode, dentry, true);

	return selinux_inode(inode);

	return isec;

}

static void inode_free_security(struct inode *inode)

				  struct dentry *dentry,

				  u32 av)

{

	struct inode *inode = d_backing_inode(dentry);

	struct common_audit_data ad;

	struct inode *inode = d_backing_inode(dentry);

	struct inode_security_struct *isec = selinux_inode(inode);

	ad.type = LSM_AUDIT_DATA_DENTRY;

	ad.u.dentry = dentry;

	/* check below is racy, but revalidate will recheck with lock held */

	if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))

		__inode_security_revalidate(inode, dentry, true);

	return inode_has_perm(cred, inode, av, &ad);

}

				const struct path *path,

				u32 av)

{

	struct inode *inode = d_backing_inode(path->dentry);

	struct common_audit_data ad;

	struct inode *inode = d_backing_inode(path->dentry);

	struct inode_security_struct *isec = selinux_inode(inode);

	ad.type = LSM_AUDIT_DATA_PATH;

	ad.u.path = *path;

	/* check below is racy, but revalidate will recheck with lock held */

	if (data_race(unlikely(isec->initialized != LABEL_INITIALIZED)))

		__inode_security_revalidate(inode, path->dentry, true);

	return inode_has_perm(cred, inode, av, &ad);

}

			    audited, denied, result, &ad);

}

static int selinux_inode_permission(struct inode *inode, int mask)

/**

 * task_avdcache_reset - Reset the task's AVD cache

 * @tsec: the task's security state

 *

 * Clear the task's AVD cache in @tsec and reset it to the current policy's

 * and task's info.

 */

static inline void task_avdcache_reset(struct task_security_struct *tsec)

{

	memset(&tsec->avdcache.dir, 0, sizeof(tsec->avdcache.dir));

	tsec->avdcache.sid = tsec->sid;

	tsec->avdcache.seqno = avc_policy_seqno();

	tsec->avdcache.dir_spot = TSEC_AVDC_DIR_SIZE - 1;

}

/**

 * task_avdcache_search - Search the task's AVD cache

 * @tsec: the task's security state

 * @isec: the inode to search for in the cache

 * @avdc: matching avd cache entry returned to the caller

 *

 * Search @tsec for a AVD cache entry that matches @isec and return it to the

 * caller via @avdc.  Returns 0 if a match is found, negative values otherwise.

 */

static inline int task_avdcache_search(struct task_security_struct *tsec,

				       struct inode_security_struct *isec,

				       struct avdc_entry **avdc)

{

	int orig, iter;

	/* focused on path walk optimization, only cache directories */

	if (isec->sclass != SECCLASS_DIR)

		return -ENOENT;

	if (unlikely(tsec->sid != tsec->avdcache.sid ||

		     tsec->avdcache.seqno != avc_policy_seqno())) {

		task_avdcache_reset(tsec);

		return -ENOENT;

	}

	orig = iter = tsec->avdcache.dir_spot;

	do {

		if (tsec->avdcache.dir[iter].isid == isec->sid) {

			/* cache hit */

			tsec->avdcache.dir_spot = iter;

			*avdc = &tsec->avdcache.dir[iter];

			return 0;

		}

		iter = (iter - 1) & (TSEC_AVDC_DIR_SIZE - 1);

	} while (iter != orig);

	return -ENOENT;

}

/**

 * task_avdcache_update - Update the task's AVD cache

 * @tsec: the task's security state

 * @isec: the inode associated with the cache entry

 * @avd: the AVD to cache

 * @audited: the permission audit bitmask to cache

 *

 * Update the AVD cache in @tsec with the @avdc and @audited info associated

 * with @isec.

 */

static inline void task_avdcache_update(struct task_security_struct *tsec,

					struct inode_security_struct *isec,

					struct av_decision *avd,

					u32 audited)

{

	int spot;

	/* focused on path walk optimization, only cache directories */

	if (isec->sclass != SECCLASS_DIR)

		return;

	/* update cache */

	spot = (tsec->avdcache.dir_spot + 1) & (TSEC_AVDC_DIR_SIZE - 1);

	tsec->avdcache.dir_spot = spot;

	tsec->avdcache.dir[spot].isid = isec->sid;

	tsec->avdcache.dir[spot].audited = audited;

	tsec->avdcache.dir[spot].allowed = avd->allowed;

	tsec->avdcache.dir[spot].permissive = avd->flags & AVD_FLAGS_PERMISSIVE;

}

/**

 * selinux_inode_permission - Check if the current task can access an inode

 * @inode: the inode that is being accessed

 * @requested: the accesses being requested

 *

 * Check if the current task is allowed to access @inode according to

 * @requested.  Returns 0 if allowed, negative values otherwise.

 */

static int selinux_inode_permission(struct inode *inode, int requested)

{

	int mask;

	u32 perms;

	bool from_access;

	bool no_block = mask & MAY_NOT_BLOCK;

	struct task_security_struct *tsec;

	struct inode_security_struct *isec;

	u32 sid = current_sid();

	struct av_decision avd;

	struct avdc_entry *avdc;

	int rc, rc2;

	u32 audited, denied;

	from_access = mask & MAY_ACCESS;

	mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);

	mask = requested & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);

	/* No permission to check.  Existence test. */

	if (!mask)

		return 0;

	if (unlikely(IS_PRIVATE(inode)))

		return 0;

	perms = file_mask_to_av(inode->i_mode, mask);

	isec = inode_security_rcu(inode, no_block);

	isec = inode_security_rcu(inode, requested & MAY_NOT_BLOCK);

	if (IS_ERR(isec))

		return PTR_ERR(isec);

	tsec = selinux_cred(current_cred());

	perms = file_mask_to_av(inode->i_mode, mask);

	rc = avc_has_perm_noaudit(sid, isec->sid, isec->sclass, perms, 0,

				  &avd);

	rc = task_avdcache_search(tsec, isec, &avdc);

	if (likely(!rc)) {

		/* Cache hit. */

		audited = perms & avdc->audited;

		denied = perms & ~avdc->allowed;

		if (unlikely(denied && enforcing_enabled() &&

			     !avdc->permissive))

			rc = -EACCES;

	} else {

		struct av_decision avd;

		/* Cache miss. */

		rc = avc_has_perm_noaudit(tsec->sid, isec->sid, isec->sclass,

					  perms, 0, &avd);

		audited = avc_audit_required(perms, &avd, rc,

				     from_access ? FILE__AUDIT_ACCESS : 0,

			(requested & MAY_ACCESS) ? FILE__AUDIT_ACCESS : 0,

			&denied);

		task_avdcache_update(tsec, isec, &avd, audited);

	}

	if (likely(!audited))

		return rc;

	rc2 = audit_inode_permission(inode, perms, audited, denied, rc);

	if (rc2)

		return rc2;

	return rc;

}

{

	int ret;

	struct sel_ib_pkey *pkey;

	struct sel_ib_pkey *new = NULL;

	struct sel_ib_pkey *new;

	unsigned long flags;

	spin_lock_irqsave(&sel_ib_pkey_lock, flags);

	if (ret)

		goto out;

	new = kmalloc(sizeof(*new), GFP_ATOMIC);

	if (!new) {

		/* If this memory allocation fails still return 0. The SID

		 * is valid, it just won't be added to the cache.

		 */

	new = kzalloc(sizeof(*new), GFP_ATOMIC);

	if (!new) {

		ret = -ENOMEM;

		goto out;

	}

	rcu_read_lock();

	pkey = sel_ib_pkey_find(subnet_prefix, pkey_num);

	if (pkey) {

	if (likely(pkey)) {

		*sid = pkey->psec.sid;

		rcu_read_unlock();

		return 0;

void sel_netnode_flush(void);

int sel_netnode_sid(void *addr, u16 family, u32 *sid);

int sel_netnode_sid(const void *addr, u16 family, u32 *sid);

#endif

#include "flask.h"

#include "avc.h"

struct avdc_entry {

	u32 isid; /* inode SID */

	u32 allowed; /* allowed permission bitmask */

	u32 audited; /* audited permission bitmask */

	bool permissive; /* AVC permissive flag */

};

struct task_security_struct {

	u32 osid; /* SID prior to last execve */

	u32 sid; /* current SID */

	u32 create_sid; /* fscreate SID */

	u32 keycreate_sid; /* keycreate SID */

	u32 sockcreate_sid; /* fscreate SID */

#define TSEC_AVDC_DIR_SIZE (1 << 2)

	struct {

		u32 sid; /* current SID for cached entries */

		u32 seqno; /* AVC sequence number */

		unsigned int dir_spot; /* dir cache index to check first */

		struct avdc_entry dir[TSEC_AVDC_DIR_SIZE]; /* dir entries */

	} avdcache;

} __randomize_layout;

enum label_initialized {

};

struct netif_security_struct {

	struct net *ns; /* network namespace */

	const struct net *ns; /* network namespace */

	int ifindex; /* device index */

	u32 sid; /* SID for this interface */

};

	POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT,

	POLICYDB_CAP_NETLINK_XPERM,

	POLICYDB_CAP_NETIF_WILDCARD,

	POLICYDB_CAP_GENFS_SECLABEL_WILDCARD,

	__POLICYDB_CAP_MAX

};

#define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)